- The RondoDox botnet is exploiting a serious vulnerability in unpatched XWiki instances to conduct cyberattacks.
- CVE-2025-24893 is an eval injection flaw enabling remote code execution, patched in recent XWiki versions.
- Exploitation attempts increased sharply in November, involving multiple threat actors and varied attack methods.
- CISA has listed the vulnerability in its Known Exploited Vulnerabilities catalog, imposing federal mitigation deadlines.
- Attacks include deploying cryptocurrency miners, reverse shells, and distributed denial-of-service (DDoS) activity.
The botnet Malware named RondoDox has been actively targeting unpatched instances of XWiki by exploiting a critical security flaw identified as CVE-2025-24893. This vulnerability, classified as an eval injection bug, permits any guest user to execute arbitrary remote code through requests to the “/bin/get/Main/SolrSearch” endpoint. The flaw was addressed in XWiki releases 15.10.11, 16.4.1, and 16.5.0RC1, issued in late February 2025.
Although evidence of exploitation dates back to March, significant activity was reported in late October when VulnCheck observed fresh attempts that leveraged the vulnerability for a two-stage attack deploying cryptocurrency mining software. Following this, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to implement protective measures by November 20.
A recent spike in exploitation attempts was documented by VulnCheck on November 7 and November 11, indicating intensified scanning efforts likely involving multiple threat actors. RondoDox emerged as a primary actor beginning November 3, incorporating this vulnerability as part of its arsenal to recruit compromised devices into a botnet aimed at conducting distributed denial-of-service (DDoS) attacks using HTTP, UDP, and TCP protocols.
Additional attack tactics observed include deploying cryptocurrency miners, attempts to create reverse shells, and generalized probing activities utilizing a Nuclei template for CVE-2025-24893. These events underscore the importance of consistent patch application to maintain security.
Jacob Baines of VulnCheck remarked that “CVE-2025-24893 is a familiar story: one attacker moves first, and many follow. Within days of the initial exploitation, we saw botnets, miners, and opportunistic scanners all adopting the same vulnerability.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
